Google has built its empire on data about its users. Its strategy may have evolved, but at its core Google is on a mission to understand its users in order to shape our futures around its services. It started with advertising (where Google now dominates) but, as the regulatory environment and scrutiny become more burdensome to navigate, Google appears to be on the hunt for new data territory into which it can leap-frog its competitors to become the dominant service provider.
Getting to know "us" – Google/tech users – is no longer just about how we roam around websites, what we watch on YouTube, the music we listen to on Spotify or the posts we like and share on Instagram. Tech providers would like to get to know us on an intimate level: our biology, our physiology and our psychology. Fitbit is the perfect fit for Google's quest to do this, and any statements made by Google or Fitbit about data privacy guarantees or protections need to be considered against the backdrop of both Google's past (and current) behaviour and the regulatory regime within which it makes its commercial decisions.
The reality is that, whilst on paper the GDPR may have ushered in a new era of data privacy in the EU, without strong regulatory enforcement and - perhaps even more importantly - consumer engagement, tech giants such as Google are likely to test the regime to its limits. Google is likely to be making calculated decisions around whether it can risk a fine to extract full value from any deal with Fitbit. Recent announcements by the Information Commissioner's Office in the context of the Cambridge Analytica scandal will likely embolden the tech giants to make these types of commercial risk assessments and take a chance with our personal data.
In fact, Google's data protection policies have already come under regulatory fire. Earlier this year the French data protection authority, the CNIL, found that Google didn't have valid consumer consent for personal advertising and issued a €50 million fine. One of the reasons for the fine was that consent was not specific to a particular purpose or even a distinct Google service. Instead users only had the option to consent in full, for all the processing operations carried out by Google across its services. Such bundling of consents could mean that it simply will not be clear to Fitbit users how their data may be used by Google in the future.
These concerns are potentially even greater in the case of the Fitbit merger because Google is already deeply invested in the healthcare space, and has a chequered past with health-related data. In 2016 a UK-based Google subsidiary, DeepMind, which specialises in AI, entered into a controversial agreement with the Royal Free NHS Trust under which 1.6 million UK patients' personal medical details were passed and processed (via third parties) to DeepMind. The Information Commissioner later ruled that the Royal Free had failed to comply with the Data Protection Act when it provided patient details to DeepMind, as it had not properly informed patients about how their data would be used. The transfer from the Royal Free to DeepMind was found to be unlawful, yet no action has been taken to prevent DeepMind from using the data. Many critics of the deal also point to gaps in the arrangement with DeepMind that do not appear to restrict the company's ability to process the data only for the purpose of developing an app (Streams) to manage acute kidney injury.
The relationship between DeepMind and the NHS, and use of this data by Google, has been further complicated by the recent internal shuffling of DeepMind to be officially merged into US-based Google Health. Despite the controversy, five NHS Trusts (including the Royal Free) with commercial arrangements to develop Streams with DeepMind have recently been reported to have transferred their contracts from the UK-based DeepMind to Google Health. Again, this is raising concerns as to exactly what is happening with UK patient data, especially as Google Health has scrapped the internal ethics panel which operated in DeepMind, and will no longer be publishing its contracts with the NHS.
Ultimately, whether Google will receive competition/anti-trust approval for the deal remains to be seen. Given that both the European Commission and the UK's national competition authority (the Competition and Markets Authority) have been homing in on big tech, and Google in particular, Google will undoubtedly face a monumental struggle to prove that the deal won't be another headache that the regulators may have to deal with in a few years. Google/DoubleClick, for instance, is an example of unforeseen consequences that have led to significant competition issues in Adtech and more broadly the entire ecosystem of the internet. Further, the CMA in particular will have the Furman Review, and the recommendations made in that report to tighten up their merger control regimes in the context of digital mergers, ringing in its ears.